immich-app/immich
1
0
Fork 0
mirror of https://github.com/immich-app/immich.git synced 2025-12-17 09:13:17 +03:00
Code Issues Packages Projects Releases 16 Wiki Activity

fix: cross site scripting issue on /share pages (#16255)

Browse Source
This commit is contained in:
Jason Rasmussen
2025-02-22 06:32:53 -05:00
committed by GitHub
parent caea3a0812
commit e4b6efc1f5
4 changed files with 58 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
server/src/services/api.service.ts
View File

@@ -2,6 +2,7 @@ import { Injectable } from '@nestjs/common';
import { Cron, CronExpression, Interval } from '@nestjs/schedule';
import { NextFunction, Request, Response } from 'express';
import { readFileSync } from 'node:fs';
import sanitizeHtml from 'sanitize-html';
import { ONE_HOUR } from 'src/constants';
import { ConfigRepository } from 'src/repositories/config.repository';
import { LoggingRepository } from 'src/repositories/logging.repository';
@@ -12,21 +13,25 @@ import { VersionService } from 'src/services/version.service';
import { OpenGraphTags } from 'src/utils/misc';
const render = (index: string, meta: OpenGraphTags) => {
const [title, description, imageUrl] = [meta.title, meta.description, meta.imageUrl].map((item) =>
item ? sanitizeHtml(item, { allowedTags: [] }) : '',
);
const tags = `
<meta name="description" content="${meta.description}" />
<meta name="description" content="${description}" />
<!-- Facebook Meta Tags -->
<meta property="og:type" content="website" />
<meta property="og:title" content="${meta.title}" />
<meta property="og:description" content="${meta.description}" />
${meta.imageUrl ? `<meta property="og:image" content="${meta.imageUrl}" />` : ''}
<meta property="og:title" content="${title}" />
<meta property="og:description" content="${description}" />
${imageUrl ? `<meta property="og:image" content="${imageUrl}" />` : ''}
<!-- Twitter Meta Tags -->
<meta name="twitter:card" content="summary_large_image" />
<meta name="twitter:title" content="${meta.title}" />
<meta name="twitter:description" content="${meta.description}" />
<meta name="twitter:title" content="${title}" />
<meta name="twitter:description" content="${description}" />
${meta.imageUrl ? `<meta name="twitter:image" content="${meta.imageUrl}" />` : ''}`;
${imageUrl ? `<meta name="twitter:image" content="${imageUrl}" />` : ''}`;
return index.replace('<!-- metadata:tags -->', tags);
};